Executive Summary
Our Health Care and Privacy, Cyber & Data Strategy groups review the status of the proposed update to the HIPAA Security Rule.
- The proposed changes to the HIPAA Security Rule include prescriptive, strict security requirements
- The rule's finalization remains on the Department of Health and Human Services Office for Civil Rights' regulatory agenda for May 2026
- Stakeholders should prepare for what could be a transformational change to their HIPAA security programs
Since the Department of Health and Human Services Office for Civil Rights' (OCR) publication of a proposed rule to overhaul the HIPAA Security Rule in January 2025, many in the health care privacy community have wondered whether the rule would quietly fade away. Some even hoped it might be dead in the water. However, despite sharp criticisms and industry pushback, recent developments confirm that the OCR has kept the rule's finalization on its official regulatory agenda for May 2026.
We provided an in-depth look at what the proposed rule could mean for covered entities and business associates here. If the rule is finalized as proposed, it would mean a radical shift in how the Security Rule is applied: moving away from the current flexible, scalable approach, which lets each regulated entity tailor safeguards to its size and risk, to a more rigid approach built on prescriptive, strict requirements (such as mandatory encryption of electronic protected health information, multifactor authentication, and regular vulnerability scanning and penetration testing) that many entities could find difficult to fulfill. The OCR itself estimated that in just the first year, compliance across all covered entities and business associates would cost $9 billion. Moreover, regulated entities might not have as much time as they would like between the final rule's publication date and the compliance deadline: as proposed, the rule would take effect 60 days after publication, with compliance required 180 days after that, for a total of just 240 days.
It remains to be seen exactly when the proposed rule will be finalized and to what extent the final rule will reflect the industry feedback that was submitted. For now, stakeholders should prepare for what could be a transformational change to their HIPAA security programs.
Alston & Bird continues to track the proposed rulemaking. Please reach out to one of our health care or privacy attorneys to discuss further or for assistance in preparing your organization for potential changes.